Attacking Webmail User Accounts

Webmail is absolutely everywhere. I rarely come across a corporate network that doesn’t have Outlook Web Access, GroupWise, or some other variant of webmail listening. Being able to get at email accounts from the Internet can save employees a lot of time and headache, but protecting those accounts with weak passwords can result in an even larger headache. Given how the majority of the planet uses email (sending some pretty sensitive data), this creates a large risk for almost any company. I’ll run through a quick list of tools and processes that I use to test the strength of webmail logins.

The first part of any password attack is gathering valid usernames. For attacks against webmail, this usually means scouring the target’s web sites looking for either specific usernames or the naming structure for their accounts. The latter is easy – you can dig through the target’s website, collect names of employees, and rewrite them to fit the company’s standard account naming policy (Joe User becomes joe.user, juser, joeuser, etc). There are also some tools that automate the gathering of this information:

Metagoofil – Metagoofil will search a particular domain or website, download all the documents from it, and parse the metadata looking for usernames, internal file locations, and lots of other info. You can get an absolutely incredible amount of information from metadata.

FOCA – Much like Metagoofil, but appears to extract even more information from documents. This tool recently debuted at Defcon 17.

theHarvester – This tool also does a good job of utilizing search engines to gather email addresses and usernames. It searches social networking sites, the PGP key repositories, and uses general search engine tactics as well.

There are many other ways to enumerate usernames from public resources, but these tools should give a good starting point. Use them in combination along with some manual searching to create a username list.

Once we have our list of users, we can move on to creating a password list. There are many ways to construct a valid password list for a specific target. I like to start by grabbing the DPL (Default Password List) and stripping out any vendor-specific stuff. I’ll then add in the old favorites such as all the variations on Password1. Then, I’ll start looking for some more specific words. I’ll do some research on the target, and include things like the business name, local sports teams, addresses and universities. I’ll then use an application like John the Ripper to run permutations on the list we just created. John lets you specify custom permutation rules, and can take the word ‘redspin’ and output redspin, Redspin, red-spin, redspin1, Red-spin1, etc.

Now that we have some valid usernames and a relevant password list, we can move into the attack. There are few tools to help automate password attacks against webmail login pages, but the few that exist are quite handy:

WMAT – Web Mail Auth Tool. A tool that supports multiple ‘patterns’ for setting up attacks against different webmail services. It currently includes patterns for horde, hordeIMP, kerio, mdaemon and squirrelmail. The structure is pretty easy to write new patterns for if you need to test a unique login page.

That’s all there is to it. We have collected valid usernames from the target, created some customized password lists, and have listed some tools you can use to tie it all together. One thing to keep in mind is the use of lockout policies. The last thing you want to do is lock out a bunch of live email accounts, so unless you know the lockout threshold (if there is one), you might want to limit the password guesses per account to something sane.
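The lockout caveat has a detection-side consequence: guessing that stays under a per-account threshold never trips lockout, so it has to be spotted per source instead. The following is an added example, not part of the original post; the log format, function names and thresholds are assumptions, and the sample log lines are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of webmail auth events: time, source IP, username, result.
SAMPLE_LOG = """\
2009-09-01T09:00:05 203.0.113.7 joe.user FAIL
2009-09-01T09:00:41 203.0.113.7 juser FAIL
2009-09-01T09:01:17 203.0.113.7 asmith FAIL
2009-09-01T09:02:02 203.0.113.7 bjones FAIL
2009-09-01T09:02:30 198.51.100.20 asmith FAIL
2009-09-01T09:02:48 198.51.100.20 asmith FAIL
2009-09-01T09:03:10 198.51.100.20 asmith FAIL
2009-09-01T09:03:29 198.51.100.20 asmith OK
2009-09-01T09:15:12 203.0.113.7 joe.user FAIL
2009-09-01T09:15:50 203.0.113.7 cdoe FAIL
2009-09-01T11:40:00 192.0.2.44 bjones FAIL
2009-09-01T11:40:20 192.0.2.44 cdoe FAIL
"""

def parse(log):
    """Yield (timestamp, ip, username, result) from whitespace-separated lines."""
    for line in log.strip().splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user.lower(), result

def find_spread_failures(log, window=timedelta(minutes=30), min_users=4):
    """Flag source IPs whose failed logins hit >= min_users distinct
    accounts within `window`. Returns {ip: (distinct_users, max_per_account)}."""
    failures = defaultdict(list)
    for ts, ip, user, result in parse(log):
        if result == "FAIL":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide window forward
                start += 1
            counts = Counter(user for _, user in events[start:end + 1])
            if len(counts) >= min_users:
                flagged[ip] = (len(counts), max(counts.values()))
                break
    return flagged

if __name__ == "__main__":
    for ip, (users, worst) in find_spread_failures(SAMPLE_LOG).items():
        print(f"{ip}: {users} accounts, at most {worst} failures per account")
```

In the sample, the single user who mistypes a password three times and the address with two failing accounts are not flagged; only the source that fails once each against four accounts is, and its per-account count of 1 is the reason a lockout counter alone would stay silent.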
